Lecture 1: Buffer Overflows
|
|
- Barbara Morton
- 5 years ago
- Views:
Transcription
1 CS5431 Computer Security Practicum Spring 2017 January 27, Conficker Lecture 1: Buffer Overflows Instructor: Eleanor Birrell In November 2008, a new piece of malware was observed in the wild. This exploit, soon known as Conficker, issued a remote procedure call (RPC) to a target system requesting the file path string \c\..\..\aaaaaaaaaaaaaaaaaaaaaaaaaaaaa This carefully crafted request exploited a bug in the Windows program NetPathCanonicalize on affected Windows machines, triggering a buffer overflow and turning the target machine into a bot under the control of the Conficker botnet. Infected machines checked for instructions from pseudo-randomly generated command-and-control servers; the resulting botnet could be deployed as a service for delivering spam or implementing distributed denial of service (DDOS) attacks. Within two months, an estimated 9-15 million machines were infected. 2 Traditional Stack Smashing A buffer overflow occurs when the data written to a buffer is longer than the space allocated to that buffer. Depending on the location of the allocated buffer and the length of the overflow, additional data written to a buffer might overwrite other data, code, or return addresses. In most cases, an accidental buffer overflow will result in incorrect execution (e.g., when it overwrites other data values), a program crash (e.g., when it overwrites values the target program doesn t have permission to access), or no effect (e.g., when it overwrites values that are not accessed after that point). Malicious buffer overflows, however, can exploit buffer vulnerabilities to force the system to run exploit code. The most common form of buffer overflow attack often called stack smashing the attacker overwriting the return address pointer with a pointer to the exploit code. 2.1 Program Stacks Before we can look at stack smashing in detail, we need to remember some of the details about how stacks are implemented. When programs are executed, the operating system stores relevant state in memory. Executable code is stored at one end of memory, static data is stored next to code, and the stack and the heap occupy the remaining memory. The heap is used for dynamically allocated memory (ie, any time malloc is used). The stack is used primarily for managing nested calls to procedures; it also stores local variables. When a procedure A calls a procedure B, A pushes a stack frame onto the stack; a stack frame is comprised of A s return address (the current value of the program counter), 1-1
2 Procedure A call B B Param 3 B Param 2 B Param 1 Ret Addr Ptr A Stack Ptr A B Local Var 1 B Local Var 2 C Param 2 C Param 1 Ret Addr Ptr B Stack Ptr B Procedure B call C Procedure C Figure 1: The stack configuration after nested procedure calls a pointer to the end of A s section of the stack (used to recover in case B has an error), as well as the parameters for B. Local variables created by B (possibly including buffers) are pushed onto the stack on top of the previous stack frame, and the process iterates when B calls its own subroutines. 2.2 Stack Smashing Attacks In most early examples, the malicious code was written earlier in the same buffer, and the pointer was overwritten to point back to the beginning of the buffer. Note that this requires careful programming to ensure that the exploit code fits in the available space; exploit code is often written directly in assembly code to conserve space. An example is show in Figure 4. Procedure A call B B Param 3 B Param 2 B Param 1 New Ret Addr Ptr New Stack Ptr Overflow Buffer B Local Var 2? Procedure B Buffer[20]; Figure 2: Stack configuration after a traditional stack smashing attack. 1-2
3 2.3 Countermeasure: Stack Canaries Buffer overflows have been a known problem for a long time. The Morris worm leveraged a buffer overflow vulnerability to spread across the ARPANET in Consequently, several differently countermeasures have been developed to defend against such exploits. In 1998, a researcher named Crispin Cowan observed that this attack pattern could be leveraged to defend against buffer overflow attacks. His system, called StackGuard, placed a special value called canary value 1 immediately below the return address pointer. When a procedure returned, the operating system would check the integrity of the canary value; if it had been modified, the system would signal an error. Problem solved? Not quite. The canary value needs to be something that the operating system can efficiently verify. However, if the system uses something simple say the constant value 0xf213ea08 then the defense will work (usually) until the attacker learns about the defense. 2 After learning about the defense, an attacker will modify the exploit to bypass the defense by, say, alternating the value of the malicious address with the canary value. Stackguard employed two alternative methods to prevent an attacker from successfully forging the stack canary. The first method was a stack canary comprised of the common termination symbols for C string libraries: \0, CR, LF, and EOF. An attacker couldn t use common C library functions to embed these characters in an overflow buffer because those functions would terminate when they reached their termination symbol. The second method was 32-bit random number chosen fresh each time the program was run. Since the canary value is chosen fresh each time the program is invoked and is never disclosed to anyone, an attacker is unlikely to guess the correct value to forge. Other types of canaries have also been proposed. So do stack canaries work? They have low overhead, and they do mitigate buffer overflow attacks by making such attacks harder to successfully execute. However, a sufficiently skilled and determined adversary will often be able to bypass a stack canary. 3 Traditional Heap Smashing In early days, defenders focused their efforts on security stack-based buffer overflows. Countermeasures like stack canaries focused exclusively on protecting the integrity of the stack. Overflows that occurred on the heap were assumed not to be exploitable. However, this assumption turned out to be inaccurate. 1 Canary values are named after the canaries traditionally carried by miners. Canaries need more oxygen than humans, so if the oxygen level in the mine dropped, the canary would die, notifying the miners in time for them to safely evacuate. 2 Relying on your defensive techniques remaining a secret a system is often called security through obscurity. It is generally regarded by the security community as ineffective; historically, attackers eventually find out how a system is secured, and defenses that rely on the attacker not knowing the defense strategy have repeatedly been compromised. 1-3
4 3.1 Heaps Heaps contain dynamically allocated memory (e.g., memory returned by malloc). Ever memory allocation a program makes is represented by a data structure called a chunk. A chunk consists of (1) metadata and (2) the memory returned to the program. Chunks are saved to the heap. The chunk metadata structure contains the following fields: INTERNAL_SIZE_T prev_size; /* size of prev chunk (if free) */ INTERNAL_SIZE_T size; /* size of chunk */ struct chunk * fd; /* double links -- used only if free */ struct chunk * bw; size stores the size of the current chunk, in bytes. Since chunks are always 8-byte aligned, the last three bits are redundant and are actually repurposed; the first (least significant) bit is used to indicate whether the previous chunk is currently allocated. prev_size stores the size of the previous chunk, if the previous chunk is currently free. Chunk C (in use) size C ( ) prev size C (null) Chunk B (in use) size B ( ) prev size B (01101) Chunk A (free) bk A fw A size A ( ) prev size A Figure 3: Example heap configuration showing one free chunk and two in-use chunks. Free chunks are stored by size in doubly linked lists using the pointer fields fw and bk. When a chunk is freed, it checks whether the chunk in front of it is already free (by checking the least significant bit of its size field). If so, it merges the two chunks and move the combined chunk to the doubly-linked list for free chunks of the new (combined) size. If not, it simply adds itself to the doubly-linked list for free chunks of its own size. Meta-data for in-use chunks does not contain the pointer fields fw and bk; the memory returned to the program starts where fw was stored prior to allocation. 1-4
5 Chunk C (in use) size C ( ) prev size C (00110) Exploit code fake bk B fake fw B size B ( ) prev size B (NULL) fptr Figure 4: Heap configuration after a buffer overflow attack (before Chunk B is freed). 3.2 Heap Smashing Attacks The key observation that enables heap smashing attacks is that removing an element from a doubly-linked list involves overwriting memory locations (supposedly the fw and bk pointers of the adjacent chunks) with new values (supposedly linking those two chunks together). A successful heap smashing attack proceeds by (1) writing a fake fw pointer (pointing to a targeted function pointer) to the beginning of buffer, (2) writing a fake bk pointer (pointing at the next memory addresss, soon to contain exploit code) to the second address of the buffer, (3) writing the exploit code starting from the third address of the buffer, (4) overwritting prev_size field of the next chunk to contain the size of the current chunk, and (5) overwriting the sizefield of the next chunk to indicate that the target chunk is free. When the next chunk is freed, the memory management code will (incorrectly) observe that the previous chunk is already free and will move the merged two chunks to the appropriate doubly-linked list of free chunks; the unlinking code will copy the value of bk (now the location of the exploit code) to the location indicated by fw (now the target function pointer). When the function pointer is subsequently dereferenced, the exploit code will be run. 3.3 Countermeasure: Memory Tagging In a tagged architecture, every machine word has one or more bits that encode the access permissions for that word. These access bits can be set only by priviledged (OS) instructions. The bits are tested every time the word is accessed. Attempts to access a word without appropriate permissions result in an error. Access bits can also distinguish types of access (read, write, execute) or classes of data (numeric, character, address, or pointer). A tagged architecture could effectively mitigate buffer overflow attacks by designating return address pointers as privileged words and/or as pointer words. However, tagged architectures are not generally compatible with legacy code. And most current operating 1-5
6 systems (including Windows, Mac OS and most Linux flavors) include legacy code dating back twenty years or more. Tagged architectures have been deployed in some systems (page-level tagging is also now available on most processors), and more are under development by major vendors like Intel, but the lack of code compatibility has precluded widespread use. A software analog of hardware tagging is Write or Execute only (W X) pages, sometimes called executable space protection. Under this approach memory is tagged in software at the granularity of a page as either writable or executable, but not both. Executable space protection is widely deployed; it has shipped with Windows since XP SP2, with OX X since Leopard (10.5), and is available on most Linux flavors. When this defense is enabled, an attacker will be unable to execute code written to writable pages (e.g., code written inside the overflowed buffer) thereby nullifying traditional buffer overflow attacks targeting either the heap or the stack. However, some applications (e.g., Javascript, Flash) rely on an executable stack. Also, sophisticated attackers can sometimes trigger a memory mapping routine that marks the attack code as executable, bypassing executable space protections. 4 Code-reuse Attacks Code-reuse attacks are a class of advanced stack smashing techniques that bypasses the protection offered by executable space protection. At a high level, instead of altering the return address pointer to point to code that has just been written on the stack, codereuse attacks overwrite the pointer to point to code that already resides on the target system, either functions in the target program or functions in loaded libraries. Code-reuse attacks work by overwriting the return address pointer to point to the location of the appropriate code in memory, overwriting the stack addresses beyond the new return address pointer with a fake stack frame for the new function, and overwriting the stack pointer to point to the beginning of the fake stack frame. Complex exploits can be constructed by chaining together available functions. An example code-reuse attack is depicted in Figure Return-into-libc A common class of code-reuse attacks known as return-into-libc attacks targets code in the standard c library. For example, in the example shown in Figure 5, the attacker executes the function exec("/bin/sh"). This approach is powerful because libc includes the system call API and because it is loaded into every Unix program. In fact, the functions in libc form a Turing complete programming language. 1-6
7 Procedure A call B exec? \sh\0" "\bin String Ptr Fake Ret Addr Ptr Fake Stack Ptr New Ret Addr Ptr New Stack Ptr OverFlow Buffer B Local Var 2 Procedure B Buffer[20]; Figure 5: Stack configuration after a return-into-libc attack. 4.2 Countermeasure: Address-Space Layout Randomization The key observation behind address-space layout randomization (ASLR) is that many buffer overflow attacks rely on knowing the location in memory of the exploit code the attacker wishes to use. ASLR renders this difficult by randomizing the memory layout: the base addresses of the stack, heap, code, and memory mapped segments are randomized at load and link time. This ensures that hardcoded addresses are unlikely to point to the desired code when the attack targets a particular system. This approach was initially highly-effective against many forms of buffer overflow attacks, although attacks that rely exclusively on relative addresses continued to be effective. ASLR was widely deployed in both Linux and OpenBSD. Derandomization techniques (Windows Vista, for example, only used 8 heap and 14 stack bits of randomness) have since eroded the effectiveness of ASLR on 32-bit machines. Derandomization attacks on 64 bit machines take several minutes and are thus often detectable, but can still be successfully executed in some contexts. 4.3 Countermeasure: Language Support High level languages are compiled into machine code before they are executed. During this phase, the compiler has the option to introduce additional checks. For example, when presented with an array access, the compiler could introduce bounds checks, logically replacing loop (a) with loop (b): Compilers can also execute type checks, ensuring that the data assigned to a location has the appropriate type for that location Language support effectively eliminates vulnerabilities like buffer overflows. However, much legacy code was written in lower level languages without such checks, so vulnerabilities remain. Introducing such checks also imposes a performance cost, so programmers continue to write code and produce vulnerabilities in non-safe languages. 1-7
8 int a[20]; for(int i=0; i<max; i++){ a[i]=0; } (a) Loop without bounds checks int a[20]; for(int i=0;i<max;i++){ if(i<0) signal error; if(i>=20) signal error; a[i]=0; } (b) Loop with bound checks 5 Back to Conficker So what was the story with Conficker? The buffer overflow overwrote a return address pointer to execute shell code that downloaded and installed a malicious.dll containing the actual worm. The malicious library ran an HTTP server that downloaded and ran code from pseudorandomly computed servers every 30 minutes, resulting in a large and powerful botnet under the control of Conficker s authors. 1-8
CSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationSoftware Vulnerabilities August 31, 2011 / CS261 Computer Security
Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationStack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta
1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)
More informationSoftware Security: Buffer Overflow Attacks
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationCNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated
CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:
More informationHeap Off by 1 Overflow Illustrated. Eric Conrad October 2007
Heap Off by 1 Overflow Illustrated Eric Conrad October 2007 1 The Attack Older CVS versions are vulnerable to an Off by 1 attack, where an attacker may insert one additional character into the heap CVS
More informationOutline. Heap meta-data. Non-control data overwrite
Outline CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Non-control data overwrite Heap
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Homework 1 Due: Wednesday, February 9, at 9:59pm Instructions. Submit your solution by Wednesday, February 9, at 9:59pm, in the drop box labelled CS161 in 283
More informationHomework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08
Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 For your solutions you should submit a hard copy; either hand written pages stapled together or a print out of a typeset document
More informationOutline. Format string attack layout. Null pointer dereference
CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string
More informationIntroduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week 08 Lecture 38 Preventing Buffer Overflow Attacks Hello.
More informationCSC 591 Systems Attacks and Defenses Stack Canaries & ASLR
CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationSecure Systems Engineering
Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Flaws that would allow an attacker access the OS flaw Bugs in the OS The Human factor Chester Rebeiro, IITM 2 Program Bugs
More informationModern Buffer Overflow Prevention Techniques: How they work and why they don t
Modern Buffer Overflow Prevention Techniques: How they work and why they don t Russ Osborn CS182 JT 4/13/2006 1 In the past 10 years, computer viruses have been a growing problem. In 1995, there were approximately
More informationPlay with FILE Structure Yet Another Binary Exploitation Technique. Abstract
Play with FILE Structure Yet Another Binary Exploitation Technique An-Jie Yang (Angelboy) angelboy@chroot.org Abstract To fight against prevalent cyber threat, more mechanisms to protect operating systems
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationSoftware Security: Buffer Overflow Attacks (continued)
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationBuffer Overflow Attacks
Buffer Overflow Attacks 1. Smashing the Stack 2. Other Buffer Overflow Attacks 3. Work on Preventing Buffer Overflow Attacks Smashing the Stack An Evil Function void func(char* inp){ } char buffer[16];
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationBuffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.
Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit
More informationIntrusion Detection and Malware Analysis
Intrusion Detection and Malware Analysis Host Based Attacks Pavel Laskov Wilhelm Schickard Institute for Computer Science Software security threats Modification of program code viruses and self-replicating
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationBypassing Browser Memory Protections
Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and
More informationSecure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic
More informationThe first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.
Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming
More informationProgram Security and Vulnerabilities Class 2
Program Security and Vulnerabilities Class 2 CEN-5079: 28.August.2017 1 Secure Programs Programs Operating System Device Drivers Network Software (TCP stack, web servers ) Database Management Systems Integrity
More informationCS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through
More informationBuffer Overflow Defenses
Buffer Overflow Defenses Some examples, pros, and cons of various defenses against buffer overflows. Caveats: 1. Not intended to be a complete list of products that defend against buffer overflows. 2.
More informationBuffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.
Buffer Overflows A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers. By: Brian Roberts What is a buffer overflow? In languages that deal with data structures
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationSecure Programming Lecture 6: Memory Corruption IV (Countermeasures)
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 Outline Announcement Recap Containment and curtailment Tamper detection Memory
More informationDnmaloc: a more secure memory allocator
Dnmaloc: a more secure memory allocator 28 September 2005 Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationStack Overflow COMP620
Stack Overflow COMP620 There are two kinds of people in America today: those who have experienced a foreign cyber attack and know it, and those who have experienced a foreign cyber attack and don t know
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationSecure Software Programming and Vulnerability Analysis
Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Heap Buffer Overflows and Format String Vulnerabilities Secure Software
More informationCSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Buffer Overflow Professor Lisa Luo Spring 2018 Previous Class Virus vs. Worm vs. Trojan & Drive-by download Botnet & Rootkit Malware detection Scanner Polymorphic malware
More informationSoftware Security: Buffer Overflow Defenses and Miscellaneous
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses and Miscellaneous Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter
More informationBasic Buffer Overflows
Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr Chapter 10 Buffer Overflow 2 Contents Virtual Memory
More informationFundamentals of Computer Security
Fundamentals of Computer Security Spring 2015 Radu Sion Software Errors Buffer Overflow TOCTTOU 2005-15 Portions copyright by Bogdan Carbunar and Wikipedia. Used with permission Why Security Vulnerabilities?
More informationBuffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka September 24, 2011. 1 Introduction to the topic
More informationQPSI. Qualcomm Technologies Countermeasures Update
QPSI Qualcomm Technologies Countermeasures Update 1 Introduction Sometime back in 2010 Let s have exploit countermeasures on our products Why? Hard to fix all bugs. We might as well make them more fun
More informationCSC 405 Computer Security Stack Canaries & ASLR
CSC 405 Computer Security Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer overflow defenses
More informationBuffer Overflow and Format String Overflow Vulnerabilities
Syracuse University SURFACE Electrical Engineering and Computer Science College of Engineering and Computer Science 2002 Buffer Overflow and Format String Overflow Vulnerabilities Kyung-suk Lhee Syracuse
More informationSecure Programming I. Steven M. Bellovin September 28,
Secure Programming I Steven M. Bellovin September 28, 2014 1 If our software is buggy, what does that say about its security? Robert H. Morris Steven M. Bellovin September 28, 2014 2 The Heart of the Problem
More informationECS 153 Discussion Section. April 6, 2015
ECS 153 Discussion Section April 6, 2015 1 What We ll Cover Goal: To discuss buffer overflows in detail Stack- based buffer overflows Smashing the stack : execution from the stack ARC (or return- to- libc)
More informationSecure Coding in C and C++
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Sept 21, 2017 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic
More informationCling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis
Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual
More informationDigital Forensics Lecture 02 PDF Structure
Digital Forensics Lecture 02 PDF Structure PDF Files Structure Akbar S. Namin Texas Tech University Spring 2017 PDF Format and Structure Tools used Text editor (e.g., vi) ClamAV antivirus (http://www.clamav.net/lang/en/download/
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge
More informationApplications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)
Software Security Requirements General Methodologies Hardware Firmware Software Protocols Procedure s Applications OS Cloud Attack Trees is one of the inside requirement 1. Attacks 2. Evaluation 3. Mitigation
More informationFundamentals of Linux Platform Security
Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Linux Platform Security Module 8 Arbitrary Code Execution: Threats & Countermeasures
More informationNew York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam
New York University CSCI-UA.480-008: Advanced Computer Systems: Spring 2016 Midterm Exam This exam is 75 minutes. Stop writing when time is called. You must turn in your exam; we will not collect it. Do
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationAdvanced Systems Security: Ordinary Operating Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationMemory Corruption 101 From Primitives to Exploit
Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 6 Low Level Software Security IV: Heap Corruption Memory management in C The C programming language uses explicit memory management Data is
More informationLecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago
Lecture 07 Heap control data Stephen Checkoway University of Illinois at Chicago Layout of program memory Heap is managed by malloc - Many different malloc implementations - glibc uses a modified version
More informationCOMP3441 Lecture 7: Software Vulnerabilities
COMP3441 Lecture 7: Software Vulnerabilities Ron van der Meyden (University of New South Wales Sydney, Australia) April 22, 2013 Overview Buffer overflow attacks SQL injection attacks Defensive measures
More informationSyed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut
CSE 5095 & ECE 6095 Spring 2016 Instructor Marten van Dijk System Security Lecture 1 Buffer Overflows Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut Email:
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationStack Overflow. Faculty Workshop on Cyber Security May 23, 2012
Stack Overflow Faculty Workshop on Cyber Security May 23, 2012 Goals Learn to hack into computer systems using buffer overflow Steal sensitive data Crash computer programs Lay waste to systems throughout
More informationOther array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned
Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned
More informationSurvey of Cyber Moving Targets. Presented By Sharani Sankaran
Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber moving target technique refers to any technique that attempts to defend a system and increase the complexity of
More informationLecture Embedded System Security A. R. Darmstadt, Runtime Attacks
2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption
More informationCSE 127 Computer Security
CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationBuffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu)
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationDieHarder: Securing the Heap
DieHarder: Securing the Heap Gene Novark Emery D. Berger Dept. of Computer Science University of Massachusetts Amherst Amherst, MA 01003 gnovark@cs.umass.edu, emery@cs.umass.edu Abstract Heap-based attacks
More informationOn The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004
On The Effectiveness of Address-Space Randomization H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 Code-Injection Attacks Inject malicious executable code
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the
More informationDefense against Code-injection, and Code-reuse Attack
Operating Systems Security Defense against Code-injection, and Code-reuse Attack Computer Security & OS lab. Cho, Seong-je ( 조성제 ) sjcho at dankook.ac.kr Fall, 2018 Contents Buffer Overflows: Stack Smashing,
More informationPatching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps
SESSION ID: EXP-R01 Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps James Lyne Global Head of Security Research Sophos / SANS Institute @jameslyne Stephen Sims Security Researcher
More informationCS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES
CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES Your name: SUNet ID: In accordance with both the letter and the spirit of the Stanford Honor Code, I did not cheat on this exam. Furthermore,
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More informationSecurity and Privacy in Computer Systems. Lecture 5: Application Program Security
CS 645 Security and Privacy in Computer Systems Lecture 5: Application Program Security Buffer overflow exploits More effective buffer overflow attacks Preventing buffer overflow attacks Announcement Project
More informationCPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e
CPSC 213 Introduction to Computer Systems Unit 1e Procedures and the Stack 1 Readings for Next 3 Lectures Textbook Procedures - 3.7 Out-of-Bounds Memory References and Buffer Overflow - 3.12 2 Local Variables
More informationBuffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu x86-64/linux Memory Layout Stack Runtime stack (8MB limit) Heap Dynamically allocated
More informationCSc 466/566. Computer Security. 20 : Operating Systems Application Security
1/68 CSc 466/566 Computer Security 20 : Operating Systems Application Security Version: 2014/11/20 13:07:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2014 Christian
More information